Silon reborn: Tilon is tougher, harder to detect banking Trojan

Trusteer has discovered a new malware that is targeting banks. It bears some resemblance to the Silon, a piece of malware that defrauded customers protected by two-factor authentication. It underwent two revisions and continued to do well into last year, then went into decline.

Dubbed Tilon, it is a classic Man in the Browser (MitB) software, which captures all traffic carried by the browser (Internet Explorer, Firefox, Chrome). It captures all form submissions from the browser to the web server and transmits them to its command & control server. Thus it obtains information on all login credentials and transactions.

It also controls traffic to the browser and through a search and replace mechanism and replaces URLs and other text with text of its own. This is standard stuff of Zeus and other banking Trojans in recent years. What is interesting is the scope of evasion techniques it uses to duck detection by antimalware products.

It won’t install properly on a virtual machine, evading detection on machines that are often used by researchers rather than normal users. However, it goes a step further. Installing as a fake system tool so that it is dismissed, keeping its identity a secret.

It also installs with a real-looking service name and a random executable name. Once the service is run, it injects itself into sundry Windows services, then terminates itself from memory. Inside one of these processes, it monitors the service entry in the registry and the executable on disk. If these are touched, it restores them within three seconds, frustrating some antimalware products.

Tilon also has a unique way of “hooking” into the browser to evade detection by products looking for traditional hooking. Instead of the more customary method of copying the first five bytes of with a JMP stub, Tilon takes a completely different approach. It overwrites only the first byte with the byte OxFA which is Clear Interrupt Flags instruction, so when the CPU attempts to run it, an exception is thrown. The exception handler installed by Tilon catches it and the hooked logic runs thereafter.

The net result of all this is that thus far, only four of 41 antimalware tools caught Tilon, and those that did identified it as a fake system tool, rather than the banking Trojan it really is.